Abstract

We reveal a natural algebraic problem whose complexity appears to interpolate
between the well-known complexity classes BQP and NP:

(*) Decide whether a univariate polynomial with exactly $m$ monomial terms has a $p$-adic
rational root.

In particular, we show that while (*) is doable in quantum randomized polynomial
time when $m = 2$ (and no classical randomized polynomial time algorithm is known),
(*) is nearly NP-hard for general $m$: Under a plausible hypothesis involving primes
in arithmetic progression (implied by the Generalized Riemann Hypothesis for certain
cyclotomic fields), a randomized polynomial time algorithm for (*) would imply the
widely disbelieved inclusion NP $\subseteq$ BPP. This type of quantum/classical interpolation
phenomenon appears to be new.

1 Introduction and Main Results 


Thanks to quantum computation, we now have exponential speed-ups for important practical
problems such as Integer Factoring and Discrete Logarithm [Sho97]. However, a fundamental
open question that remains is whether there are any NP-complete problems admitting
exponential speed-ups via quantum computation. Succinctly, this is the
NP $\overset{?}{\subseteq}$ BQP question, and a positive answer would imply that quantum
computation can provide efficient algorithms for a myriad of problems that have occupied
practitioners in optimization and computer science for decades [BV97]. (The classic
reference [GJ79] lists dozens of such problems, and we briefly review the aforementioned
complexity classes in Section 2 below.) However, the truth of the inclusion
NP $\subseteq$ BQP is currently unknown and widely disbelieved (as of early 2006).

We present an algebraic approach to this question by illustrating a problem, involving
sparse polynomials over $\mathbb{Q}_p$ (the $p$-adic rationals), whose complexity appears to
interpolate between the complexity classes BQP and NP. Our results thus suggest that sparse
polynomials can shed light on the difference between BQP and NP. Indeed, one consequence of
our results is a new family of problems which admit (or are likely to admit) BQP algorithms.
Also, in addition to providing a new complexity limit for factoring polynomials over
$\mathbb{Q}_p$, we can address questions posed earlier by Cox [Cox04], and Karpinski and
Shparlinski regarding sparse polynomials over finite fields.

Let us first review some necessary terminology: For any ring $R$ containing the integers
$\mathbb{Z}$, let $\mathrm{FEAS}_R$ — the $R$-feasibility problem — denote the problem of
deciding whether a given system of polynomials $f_1, \ldots, f_k$ chosen from
$\mathbb{Z}[x_1, \ldots, x_n]$ has a root in $R^n$. Observe then that $\mathrm{FEAS}_{\mathbb{R}}$
and $\mathrm{FEAS}_{\mathbb{Q}}$ are respectively the central problems of algorithmic real
algebraic geometry and algorithmic arithmetic geometry (see Section 1.1 below for further
details).

To measure the "size" of an input polynomial in our complexity estimates, we will
essentially count just the number of bits needed to write down the coefficients and exponents
in its monomial term expansion. This is the sparse input size, as opposed to the "dense"
input size used frequently in computational algebra.

Definition 1 Let $f(x) := \sum_{i=1}^{m} c_i x^{a_i} \in \mathbb{Z}[x_1, \ldots, x_n]$ where
$x^{a_i} := x_1^{a_{1,i}} \cdots x_n^{a_{n,i}}$, $c_i \neq 0$ for all $i$,
and the $a_i$ are distinct. We call such an $f$ an $n$-variate $m$-nomial. Also let

$\mathrm{size}(f) := \sum_{i=1}^{m} \left(1 + \lceil \log_2(2 + |c_i|) \rceil + \lceil \log_2(2 + |a_{1,i}|) \rceil + \cdots + \lceil \log_2(2 + |a_{n,i}|) \rceil\right)$,

and $\mathrm{size}_p(f) := \mathrm{size}(f) + \log(2 + p)$. (We also extend size, and thereby
$\mathrm{size}_p$, additively to polynomial systems.) Finally, for any collection $\mathcal{F}$
of polynomial systems with integer coefficients, let $\mathrm{FEAS}_R(\mathcal{F})$ denote the
natural restriction of $\mathrm{FEAS}_R$ to inputs in $\mathcal{F}$. $\diamond$

Observe that size(a + bx" + $cx^d$) $= O(\log d)$ if we fix $a$, $b$, $c$, so the degree of a
polynomial can sometimes be exponential in its sparse size. Since it is not hard to show that
$\mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{U}_2) \in$ P when $p$ is fixed (cf. Section 3 below), it
will be more natural to take the size of an input prime $p$ into account as well.

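Definition 2 Let $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$ (resp.
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathcal{F})$) denote the union of problems
$\bigcup_{p \text{ prime}} \mathrm{FEAS}_{\mathbb{Q}_p}$ (resp.
$\bigcup_{p \text{ prime}} \mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{F})$), so that a prime $p$ is
also part of the input, and the underlying input size is $\mathrm{size}_p$. Also let $Q_n$
denote the product of the first $n$ primes and define
$\mathcal{U}_m := \{f \in \mathbb{Z}[x_1] \mid f \text{ is an } m\text{-nomial}\}$. $\diamond$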

Observe that $\mathbb{Z}[x_1]$ is thus the disjoint union $\bigsqcup_{m \geq 0} \mathcal{U}_m$.
Our results will make use of the following plausible number-theoretic hypothesis.

Flat Primes Hypothesis (FPH) Following the notation above, there are absolute constants 

Q 

C>C>\ such that for any nGN, the set {1 + kQ n \ &G{1, . . . , 2™ }} contains at least ^- primes. 

Assumptions at least as strong as FPH are routinely used, and widely believed, in the
cryptology and algorithmic number theory communities (see, e.g., [Mil76, Mih94, Koi97,
Roj01a, Hal05]). In particular, we will see in Section 2.1 below how FPH is implied by
the Generalized Riemann Hypothesis (GRH) for the number fields
$\{\mathbb{Q}(\omega_{Q_n})\}_{n \in \mathbb{N}}$, where $\omega_M$ denotes a primitive
$M$-th root of unity¹, but can still hold under certain failures of the latter
hypotheses.

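Theorem 1 Following the notation above,
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathcal{U}_2) \in$ BQP. However, assuming the
truth of FPH, if $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1]) \in \mathcal{C}$
for some complexity class $\mathcal{C}$, then NP $\subseteq$ BPP $\cup\, \mathcal{C}$.
In particular, assuming the truth of FPH,
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1]) \in$ BQP $\Longrightarrow$ NP $\subseteq$ BQP.

¹ I.e., a complex number $\omega_M$ with $\omega_M^M = 1$; and $\omega_M^d = 1 \Longrightarrow M \mid d$.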



Recall that a univariate polynomial has a root in a field $K$ iff it possesses a degree 1 factor
with coefficients in $K$. Independent of its connection to quantum computing, Theorem 1
thus provides a new complexity limit for polynomial factorization over $\mathbb{Q}_p[x_1]$.
In particular, Theorem 1 shows that finding even just the low degree ($p$-adic) factors for
sparse polynomials (with $p$ varying) is likely not doable in randomized polynomial time. This
complements Chistov's earlier deterministic polynomial time algorithm for dense polynomials
and fixed $p$ [Chi91]. Theorem 1 also provides an interesting contrast to earlier work of
Lenstra [Len99a], who showed that one can at least find all low degree factors (in
$\mathbb{Q}[x_1]$) of a sparse polynomial in polynomial time.

Remarks 1 While it has been known since the late 1990's that
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}} \in$ EXPTIME [MW96, MW97] (relative to our notion
of input size), we are unaware of any earlier algorithms yielding
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathcal{F}) \in$ BQP, for any non-trivial family
of polynomial systems $\mathcal{F}$. Also, while it is not hard to show that
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$ is NP-hard from scratch, there appear to be no
earlier results indicating the smallest $n$ such that
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1, \ldots, x_n])$ is NP-hard. $\diamond$

As for the quantum side of Theorem 1, the author is unaware of any other natural
algebraic problem that interpolates between BQP and NP in the sense above. Moreover,
since the exact complexity of the problems
$\{\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathcal{U}_m)\}_{m \geq 3}$ is currently
unknown, a BQP algorithm for any of these problems would yield a new family of algebraic
problems — distinct from Integer Factoring or Discrete Logarithm — admitting an exponential
quantum speed-up over classical methods.

The only other problem known to interpolate between BQP and some classical complexity
class arises from very recent results on the complexity of approximating a certain
braid invariant — the famous Jones polynomial, for certain classes of braids, evaluated at an
$n$-th root of unity — and involves a complexity class (apparently) higher than NP. In brief:
(1) seminal work of Freedman, Kitaev, Larsen, and Wang shows that such approximations
can simulate any BQP computation, already for $n = 5$ [FKW02, FLW02], (2) [AJL05] gives
a BQP algorithm that computes an additive approximation for arbitrary $n$, and (3) [YW06]
shows that for arbitrary $n$, computing the most significant bit of the absolute value of the
Jones polynomial is PP-hard. (Recall that BQP $\cup$ NP $\cup$ coNP $\subseteq$ PP.) Our results
thus provide a new alternative source for quantum/classical complexity interpolation.

Let $\mathrm{FEAS}_{\mathbb{F}_{\mathrm{primes}}}$ denote the obvious finite field analogue of
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$. While we do not yet know whether
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathcal{U}_2)$ is BQP-complete in any rigorous
sense, we point out that $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathcal{U}_2)$ is
polynomial-time equivalent to $\mathrm{FEAS}_{\mathbb{F}_{\mathrm{primes}}}(\mathcal{U}_2)$
(cf. Section 3 below), and the inclusion
$\mathrm{FEAS}_{\mathbb{F}_{\mathrm{primes}}}(\mathcal{U}_2) \overset{?}{\in}$ BPP is a
well-known, decades-old open problem from algorithmic number theory (see, e.g., [BS96, Ch. 7]
and [Gao05]). Note also that the BQP-completeness of Integer Factoring and Discrete Logarithm
are open questions as well.

One can also naturally ask if detecting a degenerate root in $\mathbb{Q}_p$ for $f$ (i.e., a
degree 1 factor over $\mathbb{Q}_p$ whose square also divides $f$) is as hard as detecting
arbitrary roots in $\mathbb{Q}_p$. Via our techniques, we can easily prove essentially the same
complexity lower-bound as above for the latter problem.



Corollary 1 Using $\mathrm{size}_p(f)$ as our notion of input size, suppose we can decide for
any input prime $p$ and $f \in \mathbb{Z}[x_1]$ whether $f$ is divisible by the square of a
degree 1 polynomial in $\mathbb{Q}_p[x_1]$, within some complexity class $\mathcal{C}$. Then,
assuming the truth of FPH, NP $\subseteq \mathcal{C}\, \cup$ BPP.

Let $\mathbb{F}_p$ denote the finite field with $p$ elements. Corollary 1 then complements an
analogous earlier result of Karpinski and Shparlinski (independent of the truth of FPH) for
detecting degenerate roots in $\mathbb{C}$ and the algebraic closure of $\mathbb{F}_p$.

Note also that while the truth of GRH usually implies algorithmic speed-ups (in contexts
such as primality testing [Mil76], complex dimension computation [Koi97], detection
of rational points [Roj01a], or class group computation [Hal05]), Theorem 1 and Corollary
1 instead reveal complexity speed-limits implied by GRH.

1.1 Open Questions and the Relevance of Ultrametric Complexity 

Complexity results over one ring sometimes inspire and motivate analogous results over
other rings. An important early instance of such a transfer was the work of Paul Cohen, on
quantifier elimination over $\mathbb{R}$ and $\mathbb{Q}_p$ [Coh69]. To close this introduction,
let us briefly review how results over $\mathbb{Q}_p$ can be useful over $\mathbb{Q}$, and then
raise some natural questions arising from our main results.

First, recall that the decidability of $\mathrm{FEAS}_{\mathbb{Q}}$ is a major open problem:
decidability for the special case of cubic polynomials in two variables would already be
enough to yield significant new results in the direction of the Birch-Swinnerton-Dyer
conjecture (see, e.g., [Sil96, Ch. 8]), and the latter conjecture is central in modern number
theory (see, e.g., [HS00]). The fact that $\mathrm{FEAS}_{\mathbb{Z}}$ is undecidable is the
famous negative solution of Hilbert's Tenth Problem, due to Matiyasevitch and Davis, Putnam,
and Robinson [Mat73, DLPvG00], and is sometimes taken as evidence that
$\mathrm{FEAS}_{\mathbb{Q}}$ may be undecidable as well (see also [Poo03]).

From a more positive direction, much work has gone into using $p$-adic methods to find
an algorithm for $\mathrm{FEAS}_{\mathbb{Q}}(\mathbb{Z}[x, y])$ (i.e., deciding the existence of
rational points on algebraic curves), via extensions of the Hasse Principle² (see, e.g.,
[Poo01b, Poo06]). Algorithmic results over the $p$-adics are also central in many other
computational results: polynomial time factoring algorithms over $\mathbb{Q}[x_1]$ [LLL82],
computational complexity [Roj02], and elliptic curve cryptography [Lau04].

Our results thus provide another step toward understanding the complexity of solving
polynomial equations over $\mathbb{Q}_p$, and reveal yet another connection between quantum
complexity and number theory. Let us now consider some possible extensions of our results.

Question 1 Is $\mathrm{FEAS}_{\mathbb{F}_{\mathrm{primes}}}(\mathbb{Z}[x_1])$ NP-hard?

Question 2 Given a prime $p$ and an $f \in \mathbb{F}_p[x_1]$, is it NP-hard to decide whether
$f$ is divisible by the square of a degree 1 polynomial in $\mathbb{F}_p[x_1]$ (relative to
$\mathrm{size}_p(f)$)?

² The Hasse Principle is the assumption that an equation $F(x_1, \ldots, x_n) = 0$ having roots
in $\mathbb{Q}_p^n$ for all primes $p$ must have a root in $\mathbb{Q}^n$ as well. The Hasse
Principle is a theorem for quadratic polynomials, is conjectured to hold for equations defining
smooth plane curves, but fails in subtle ways for cubic polynomials (see, e.g., [Poo01a]).



David A. Cox asked the author whether
$\mathrm{FEAS}_{\mathbb{F}_{\mathrm{primes}}}(\mathbb{Z}[x_1]) \in$ P around August 2004 [Cox04],
and Erich Kaltofen posed a variant of Question 1 --
$\mathrm{FEAS}_{\mathbb{F}_{\mathrm{primes}}}(\mathcal{U}_4) \overset{?}{\in}$ P -- a bit earlier
in [Kal03]. Karpinski and Shparlinski raised Question 2 toward the end of [KS99]. Since
Hensel's Lemma (cf. Section 2 below) allows one to find roots in $\mathbb{Q}_p$ via computations
in the rings $\mathbb{Z}/p^\ell\mathbb{Z}$, Theorem 1 thus provides some evidence toward positive
answers for Questions 1 and 2. Note in particular that a positive answer to Question 1 would
provide a definitive complexity lower bound for polynomial factorization over
$\mathbb{F}_p[x_1]$, since randomized polynomial time algorithms (relative to the dense
encoding) are already known (e.g., Berlekamp's algorithm [BS96, Sec. 7.4]).



On a more speculative note, one may wonder if quantum computation can produce new
speed-ups by circumventing the dependence of certain algorithms on GRH. This is motivated
by Hallgren's recent discovery of a BQP algorithm for deciding whether the class number
of a number field of constant degree is equal to a given integer [Hal05]: The best classical
complexity upper bound for the latter problem is NP $\cap$ coNP, obtainable so far only under
the assumption of GRH [BvS89, McC89]. Unfortunately, the precise relation between BQP
and NP $\cap$ coNP is not clear. However, could it be that quantum computation can expunge
the need for GRH in an even more direct way? For instance:



Question 3 Is there a quantum algorithm which generates, within a number of qubit operations
polynomial in $n$, a prime of the form $kQ_n + 1$ with probability $> \frac{2}{3}$?



Indeed, it is natural to try to remove the dependence of our main results on the hypothesis 
FPH. Here is one possible route. 

Question 4 Let $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{prime\_ideals}}}$ denote the obvious
generalization of $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$ to arbitrary finite algebraic
extensions of the fields $\{\mathbb{Q}_p\}_{p \text{ a prime}}$. Then
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{prime\_ideals}}}(\mathbb{Z}[x_1])$ is NP-hard, independent of
FPH.

We are currently pursuing a solution to the last question. In particular, it appears likely
that $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{prime\_ideals}}}(\mathcal{U}_2) \in$ BQP.

Our main results are proved mostly in Section 3 after the development of some necessary
theory in Section 2 below. For the convenience of the reader, we recall the definitions of all
relevant complexity classes and review certain types of Generalized Riemann Hypotheses.

2 Background and Ancillary Results 

Recall the containments of complexity classes
P $\subseteq$ BPP $\subseteq$ BQP $\subseteq$ PP $\subseteq$ PSPACE and
P $\subseteq$ NP $\cap$ coNP $\subseteq$ NP $\cup$ coNP $\subseteq$ PP, and the fact that the
properness of every preceding containment is a major open problem [Pap95, BV97]. We briefly
review the definitions of the aforementioned complexity classes below (see [Pap95, BV97] for a
full and rigorous treatment):

P The family of decision problems which can be done within (classical) polynomial-time.

BPP The family of decision problems admitting (classical) randomized polynomial-time
algorithms that terminate with an answer that is correct with probability at least 3 |.

BQP The family of decision problems admitting quantum randomized polynomial-time
algorithms that terminate with an answer that is correct with probability at least 3 |
[BV97].

NP The family of decision problems where a "Yes" answer can be certified within
(classical) polynomial-time.

coNP The family of decision problems where a "No" answer can be certified within
(classical) polynomial-time.

PP The family of decision problems admitting (classical) randomized polynomial-time
algorithms that terminate with an answer that is correct with probability strictly greater
than $\frac{1}{2}$.

PSPACE The family of decision problems solvable within polynomial-time, provided a number
of processors exponential in the input size is allowed.

Now recall that 3CNFSAT is the famous seminal NP-complete problem [GJ79] which
consists of deciding whether a Boolean sentence of the form
$B(X) = C_1(X) \wedge \cdots \wedge C_k(X)$ has a satisfying assignment, where $C_i$ is of one
of the following forms:

$X_i \vee X_j \vee X_k$, $\neg X_i \vee X_j \vee X_k$, $\neg X_i \vee \neg X_j \vee X_k$, $\neg X_i \vee \neg X_j \vee \neg X_k$,

$i, j, k \in [3n]$, and a satisfying assignment consists of an assignment of values from
$\{0, 1\}$ to the variables $X_1, \ldots, X_{3n}$ which makes the equality $B(X) = 1$ true.⁴
Each $C_i$ is called a clause.

We will need a clever reduction from 3CNFSAT to feasibility testing for univariate 
polynomial systems over certain fields. 

Definition 3 Letting $Q_n$ denote the product of the first $n$ primes, let us inductively
define a homomorphism $\mathcal{P}_n$ -- the ($n$-th) Plaisted morphism -- from certain Boolean
polynomials in the variables $X_1, \ldots, X_n$ to $\mathbb{Z}[x_1]$, as follows:
(1) $\mathcal{P}_n(0) := 1$, (2) $\mathcal{P}_n(X_i) := x_1^{Q_n/p_i} - 1$,
(3) $\mathcal{P}_n(\neg B) := \frac{x_1^{Q_n} - 1}{\mathcal{P}_n(B)}$, for any Boolean polynomial
$B$ for which $\mathcal{P}_n(B)$ has already been defined,
(4) $\mathcal{P}_n(B_1 \vee B_2) := \mathrm{lcm}(\mathcal{P}_n(B_1), \mathcal{P}_n(B_2))$, for any
Boolean polynomials $B_1$ and $B_2$ for which $\mathcal{P}_n(B_1)$ and $\mathcal{P}_n(B_2)$ have
already been defined. $\diamond$

Lemma 1 For all $n \in \mathbb{N}$ and all clauses $C(X_i, X_j, X_k)$ with $i, j, k \leq n$, we
have $\mathrm{size}(\mathcal{P}_n(C)) = O(n^2)$. Furthermore, if $K$ is any field possessing
$Q_n$ distinct $Q_n$-th roots of unity, then a 3CNFSAT instance
$B(X) := C_1(X) \wedge \cdots \wedge C_k(X)$ has a satisfying assignment iff the zero set in $K$
of the polynomial system $F_B := (\mathcal{P}_n(C_1), \ldots, \mathcal{P}_n(C_k))$ has a root
$\zeta$ satisfying $\zeta^{Q_n} - 1 = 0$.



³ It is easily shown that we can replace | by any constant strictly greater than $\frac{1}{2}$
and still obtain the same family of problems [Pap95].

⁴ Throughout this paper, for Boolean expressions, we will always identify 0 with "False" and
1 with "True".



David Alan Plaisted proved the special case $K = \mathbb{C}$ of the above lemma in [Pla84]. His
proof extends with no difficulty whatsoever to the more general family of fields detailed above.
Other than a slightly earlier (and independent) observation of Kaltofen and Koiran [KK05],
we are unaware of any other variant of Plaisted's reduction involving a field other than
$\mathbb{C}$.

Let us recall a version of Hensel's Lemma sufficiently general for our proof of Theorem 1,
along with a useful characterization of certain finite rings. Recall that for any ring $R$,
$R^*$ is the group of multiplicatively invertible elements of $R$.

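Hensel's Lemma (See, e.g., [Rob00, Pg. 48].) Suppose $f \in \mathbb{Z}_p[x_1]$ and
$x \in \mathbb{Z}_p$ satisfies $f(x) \equiv 0 \pmod{p^\ell}$ and $\mathrm{ord}_p f'(x) < \frac{\ell}{2}$.
Then there is a root $\zeta \in \mathbb{Z}_p$ of $f$ with
$\zeta \equiv x \pmod{p^{\ell - \mathrm{ord}_p f'(x)}}$ and $\mathrm{ord}_p f'(\zeta) = \mathrm{ord}_p f'(x)$. ■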

Lemma 2 Given any cyclic group $G$, $a \in G$, and an integer $d$, the equation $x^d = a$ has a
solution iff the order of $a$ divides $\frac{\#G}{\gcd(d, \#G)}$. In particular, $\mathbb{F}_q^*$
is cyclic for any prime power $q$, and $(\mathbb{Z}/p^\ell\mathbb{Z})^*$ is cyclic for any
$(p, \ell)$ with $p$ an odd prime or $\ell \leq 2$. Finally, for $\ell \geq 3$,
$(\mathbb{Z}/2^\ell\mathbb{Z})^* = \{-1, 1\} \times \{1, 5, 5^2, 5^3, \ldots, 5^{2^{\ell-2}-1} \bmod 2^\ell\}$. ■

The last lemma is standard (see, e.g., [BS96, Ch. 5]). 

We will also need the following result on an efficient randomized reduction of
$\mathrm{FEAS}_K(\mathbb{Z}[x_1]^k)$ to $\mathrm{FEAS}_K(\mathbb{Z}[x_1]^2)$. Recall that
$\mathbb{C}_p$ — the $p$-adic complex numbers — is the metric closure of the algebraic closure
of $\mathbb{Q}_p$, and $\mathbb{C}_p$ is algebraically closed.

Lemma 3 Suppose $f_1, \ldots, f_k \in \mathbb{Z}[x_1] \setminus \{0\}$ are polynomials of degree
$\leq d$, with $k \geq 3$. Also let $Z_K(f_1, \ldots, f_k)$ denote the set of common zeroes of
$f_1, \ldots, f_k$ in some field $K$. Then, if $a = (a_1, \ldots, a_k)$ and
$b = (b_1, \ldots, b_k)$ are chosen uniformly randomly from $\{1, \ldots, 18dk^2\}^{2k}$, we
have

$\mathrm{Prob}\left(Z_K\left(\sum_{i=1}^{k} a_i f_i, \sum_{i=1}^{k} b_i f_i\right) = Z_K(f_1, \ldots, f_k)\right)$ >l

for any $K \in \{\mathbb{C}, \mathbb{C}_p\}$.

While there are certainly earlier results that are more general than Lemma 3 (see, e.g.,
[GH93, Sec. 3.4.1] or [Koi97, Thm. 5.6]), Lemma 3 is more direct and self-contained for our
purposes. For the convenience of the reader, we provide its proof.

Proof of Lemma 3: Assume $f_i(x) := \sum_{j=0}^{d} c_{i,j} x^j$ for all $i \in \{1, \ldots, k\}$.
Let $W := \left(\bigcup_{i=1}^{k} Z_K(f_i)\right) \setminus Z_K(f_1, \ldots, f_k)$ and
$\varphi(u, \zeta) := \sum_{i=1}^{k} u_i f_i(\zeta)$ for any $\zeta \in W$. Note
that $\#W \leq kd$ and that for any fixed $\zeta \in W$, the polynomial $\varphi(u, \zeta)$ is
linear in $u$ and not identically zero. By Schwartz's Lemma [Sch80], for any fixed
$\zeta \in W$, there are at most $kN^{k-1}$ points $u \in \{1, \ldots, N\}^k$ with
$\varphi(u, \zeta) = 0$. So then, there are at most $dk^2 N^{k-1}$ points
$u \in \{1, \ldots, N\}^k$ with $\varphi(u, \zeta) = 0$ for some $\zeta \in W$.

Clearly then, the probability that a uniformly randomly chosen pair
$(a, b) \in \{1, \ldots, N\}^{2k}$ satisfies $\varphi(a, \zeta) = \varphi(b, \zeta) = 0$ for some
$\zeta \in W$ is bounded above by "*%-. So taking $N = 18dk^2$ we are done. ■

2.1 Review of Riemann Hypotheses 

Primordial versions of the connection between analysis and number theory are not hard to
derive from scratch and have been known at least since the 19th century. For example, letting
$\zeta(s) := \sum_{n=1}^{\infty} \frac{1}{n^s}$ denote the usual Riemann zeta function (for any
real number $s > 1$), one can easily derive with a bit of calculus (see, e.g., [TF00, pp. 30-32])
that

$\zeta(s) = \prod_{p \text{ prime}} \frac{1}{1 - p^{-s}}$, and thus $-\frac{\zeta'(s)}{\zeta(s)} = \sum_{n=1}^{\infty} \frac{\Lambda(n)}{n^s}$,

where $\Lambda$ is the classical Mangoldt function which sends $n$ to $\log p$ or $0$, according
as $n = p^m$ for some prime $p$ (and some positive integer $m$) or not. For a deeper connection,
recall that $\pi(x)$ denotes the number of primes (in $\mathbb{N}$) $\leq x$ and that the Prime
Number Theorem (PNT) is the asymptotic formula $\pi(x) \sim \frac{x}{\log x}$, for
$x \to \infty$. Remarkably then, the first proofs of PNT, by Hadamard and de la Vallée-Poussin
(independently, in 1896), were based essentially on the fact that $\zeta(\beta + i\gamma)$ has no
zeroes on the vertical line $\beta = 1$.⁵

More precisely, writing $\rho = \beta + i\gamma$ for real $\beta$ and $\gamma$, recall that
$\zeta$ admits an analytic continuation to the complex plane sans the point 1 [TF00, Sec. 2].⁶
In particular, the only zeroes of $\zeta$ outside the critical strip
$\{\rho = \beta + i\gamma \mid 0 < \beta < 1\}$ are the so-called trivial zeroes
$\{-2, -4, -6, \ldots\}$. Furthermore the zeroes of $\zeta$ in the critical strip are symmetric
about the critical line $\beta = \frac{1}{2}$ and the real axis. The Riemann Hypothesis (RH),
from 1859, is then the following assertion:

(RH) All zeroes $\rho = \beta + i\gamma$ of $\zeta$ with $\beta > 0$ lie on the critical line $\beta = \frac{1}{2}$.



Among a myriad of hitherto unprovably sharp statements in algorithmic number theory, it
is known that RH is true $\Longleftrightarrow$
$\left|\pi(x) - \int_2^x \frac{dt}{\log t}\right| = O(\sqrt{x} \log x)$ [TF00]. In particular, RH
is widely agreed to be the most important problem in modern mathematics. Since May 24,
2000, RH even enjoys a bounty of one million US dollars thanks to the Clay Mathematics
Foundation.

Let us now consider the extension of RH to primes in arithmetic progressions: For any
primitive $M$-th root of unity $\omega_M$, define the (cyclotomic) Dedekind zeta function via
the formula $\zeta_{\mathbb{Q}(\omega_M)}(s) := \sum_{\mathfrak{a}} \frac{1}{(\mathcal{N}\mathfrak{a})^s}$,
where $\mathfrak{a}$ ranges over all nonzero ideals of $\mathbb{Z}[\omega_M]$ (the ring of
algebraic integers in $\mathbb{Q}(\omega_M)$), $\mathcal{N}$ denotes the norm function, and
$s > 1$ [BS96]. Then, like $\zeta$, the function $\zeta_{\mathbb{Q}(\omega_M)}$ also admits an
analytic continuation to $\mathbb{C} \setminus \{1\}$ (which we'll also call
$\zeta_{\mathbb{Q}(\omega_M)}$), $\zeta_{\mathbb{Q}(\omega_M)}$ has trivial zeroes
$\{-2, -4, -6, \ldots\}$, and all other zeroes of $\zeta_{\mathbb{Q}(\omega_M)}$ lie in the
critical strip $(0, 1) \times \mathbb{R}$ [LO77]. (The zeroes of $\zeta_{\mathbb{Q}(\omega_M)}$ in
the critical strip are also symmetric about the critical line $\frac{1}{2} \times \mathbb{R}$ and
the real axis.) We then define the following statement:

(GRH$_{\mathbb{Q}(\omega_M)}$)⁷ For any primitive $M$-th root of unity $\omega_M$, all the zeroes
$\rho = \beta + i\gamma$ of $\zeta_{\mathbb{Q}(\omega_M)}$ with $\beta > 0$ lie on the critical
line $\beta = \frac{1}{2}$.

In particular, letting $\pi(x, M)$ denote the number of primes $p$ congruent to 1 mod $M$
satisfying $p \leq x$, it is known that GRH$_{\mathbb{Q}(\omega_M)}$ is true $\Longleftrightarrow$
$\left|\pi(x, M) - \frac{1}{\varphi(M)} \int_2^x \frac{dt}{\log t}\right| = O\left(\sqrt{x}\,(\log x + \log M)\right)$,
where $\varphi(M)$ is the number of $k \in \{1, \ldots, M - 1\}$ relatively prime to $M$. (This
follows routinely from the conditional effective Chebotarev Theorem of [LO77, Thm. 1.1], taking
$K = \mathbb{Q}$ and $L = \mathbb{Q}(\omega_M)$ in the notation there. One also needs to recall
that the discriminant of $\mathbb{Q}(\omega_M)$ is bounded from above by $M^{\varphi(M)}$
[BS96, Ch. 8, pg. 260].)

⁵ Shikau Ikehara later showed in 1931 that PNT is in fact equivalent to the fact that $\zeta$
has no zeroes on the vertical line $\beta = 1$ (the proof is reproduced in [DMcK72]).

⁶ We'll abuse notation henceforth by letting $\zeta$ denote the analytic continuation of
$\zeta$ to $\mathbb{C} \setminus \{1\}$.

⁷ There is definitely conflicting notation in the literature as to what the "Extended" Riemann
Hypothesis or "Generalized" Riemann Hypothesis are. We thus hope to dissipate any possible
confusion via subscripts clearly declaring the field we are working with.

From the very last estimate, an elementary calculation shows that FPH is implied by
the truth of the hypotheses $\{\mathrm{GRH}_{\mathbb{Q}(\omega_{Q_n})}\}_{n \in \mathbb{N}}$.
However, we point out that FPH can still hold even in the presence of infinitely many
non-trivial zeta zeroes off the critical line. For instance, if we instead make the weaker
assumption that there is an $\varepsilon > 0$ such that all the non-trivial zeroes of
$\{\zeta_{\mathbb{Q}(\omega_{Q_n})}\}_{n \in \mathbb{N}}$ have real part
$\leq \frac{1}{2} + \varepsilon$, then one can still prove the weaker inequality

$\left|\pi(x, M) - \frac{1}{\varphi(M)} \int_2^x \frac{dt}{\log t}\right| = O\left(x^{\frac{1}{2} + \varepsilon}(\log x + \log M)\right)$ (see, e.g., (HnHcEU).

Another elementary calculation then shows that this looser deviation bound still suffices to
yield FPH. In fact, one can even have non-trivial zeroes of $\zeta_{\mathbb{Q}(\omega_{Q_n})}$
approach the line $\{\beta = 1\}$ arbitrarily closely, provided they do not approach too quickly
as a function of $n$. (See [Roj06] for further details.)



3 The Proofs of Our Main Results 

3.1 The Univariate Threshold Over $\mathbb{Q}_p$: Proving Theorem 1

The first assertion rests upon a quantum algorithm for finding the multiplicative order
of an element of $(\mathbb{Z}/p^\ell\mathbb{Z})^*$ (see [Sho97, BL95]), once we make a suitable
reduction from $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$. The second assertion relies on
properties of primes in specially chosen arithmetic progressions, via our generalization
(cf. Section 2) of an earlier trick of Plaisted [Pla84].



Proof of the First Assertion: First note that it clearly suffices to show that we can
decide (with error probability < |, say) whether the polynomial $f(x) := x^d - a$ has a root in
$\mathbb{Q}_p$, using a number of qubit operations polynomial in $\mathrm{size}(a) + \log d$.
(This is because we can divide by a suitable constant, and arithmetic over $\mathbb{Q}$ is
doable in polynomial time.) The case $a = 0$ always results in the root 0, so let us assume
$a \neq 0$. Clearly then, any $p$-adic root $\zeta$ of $x^d - a$ satisfies
$d\,\mathrm{ord}_p \zeta = \mathrm{ord}_p a$. Since we can compute $\mathrm{ord}_p a$ and
reductions of integers mod $d$ in P [BS96, Ch. 5], we can then clearly assume that
$d \mid \mathrm{ord}_p a$ (for otherwise, there can be no root over $\mathbb{Q}_p$). Moreover, by
rescaling $x$ by an appropriate power of $p$, we can assume further that $\mathrm{ord}_p a = 0$.

Now note that $f'(\zeta) = d\zeta^{d-1}$ and thus $\mathrm{ord}_p f'(\zeta) = \mathrm{ord}_p(d)$.
So by Hensel's Lemma, it suffices to decide whether the mod $p^\ell$ reduction of $f$ has a root
in $\mathbb{Z}/p^\ell\mathbb{Z}$, for $\ell = 1 + 2\,\mathrm{ord}_p d$. (Note in particular that
$\mathrm{size}(p^\ell) = O(\log(p) \log(d))$ which is polynomial in our notion of input size.)
By Lemma 2 we can easily decide the latter feasibility problem, given the multiplicative order
of $a$ in $(\mathbb{Z}/p^\ell\mathbb{Z})^*$; and we can do the latter in BQP by Shor's seminal
algorithm for computing order in a cyclic group [Sho97, pp. 1498-1501], provided
$p^\ell \notin \{8, 16, 32, \ldots\}$. So the first assertion is proved for
$p^\ell \notin \{8, 16, 32, \ldots\}$.
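
An added example, not code from the paper: the odd-$p$ case of the argument above, carried out classically in Python. The function names are hypothetical, and the order in $(\mathbb{Z}/p^\ell\mathbb{Z})^*$ is found by trial division on the group order, standing in for the quantum order-finding step the proof cites; the final test is the cyclic-group criterion of Lemma 2 (the order of $a$ must divide $\#G/\gcd(d, \#G)$).

```python
from math import gcd


def ord_p(n, p):
    """p-adic valuation of a nonzero integer n."""
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def reduce_to_unit(a, d, p):
    """Valuation and Hensel steps of the proof, for a != 0.

    Returns (unit, modulus, group_order) with modulus = p^l and
    l = 1 + 2*ord_p(d), or None when d does not divide ord_p(a)
    (in which case x^d - a has no root in Q_p).
    """
    v = ord_p(a, p)
    if v % d != 0:
        return None
    l = 1 + 2 * ord_p(d, p)
    modulus = p ** l
    unit = (a // p ** v) % modulus      # rescaled so that ord_p(unit) = 0
    return unit, modulus, p ** (l - 1) * (p - 1)


def mult_order(a, modulus, group_order):
    """Order of a in (Z/modulus)^*, found by stripping prime factors of
    group_order. Trial division is exponential in the bit size; it is the
    classical stand-in for the quantum order-finding step."""
    order, n, q = group_order, group_order, 2
    while q * q <= n:
        if n % q == 0:
            while n % q == 0:
                n //= q
            while order % q == 0 and pow(a, order // q, modulus) == 1:
                order //= q
        q += 1
    if n > 1:                            # one prime factor may remain
        while order % n == 0 and pow(a, order // n, modulus) == 1:
            order //= n
    return order


def binomial_has_root(a, d, p):
    """Decide whether x^d - a has a root in Q_p (p an odd prime, d >= 1)."""
    if p == 2 or d < 1:
        raise ValueError("this sketch covers odd primes p and d >= 1 only")
    if a == 0:
        return True                      # the root 0
    reduced = reduce_to_unit(a, d, p)
    if reduced is None:
        return False
    unit, modulus, group_order = reduced
    order = mult_order(unit, modulus, group_order)
    # Lemma 2: solvable iff order(a) divides #G / gcd(d, #G).
    return (group_order // gcd(d, group_order)) % order == 0


def has_root_by_search(a, d, p):
    """Cross-check: exhaustive search for a unit root modulo p^l."""
    if a == 0:
        return True
    reduced = reduce_to_unit(a, d, p)
    if reduced is None:
        return False
    unit, modulus, _ = reduced
    return any(pow(x, d, modulus) == unit
               for x in range(1, modulus) if x % p)


if __name__ == "__main__":
    # Constructed sample inputs (a, d, p).
    for a, d, p in [(2, 2, 7), (3, 2, 7), (98, 2, 7), (2, 3, 3), (10, 3, 3)]:
        print(f"x^{d} - {a} over Q_{p}: root exists = {binomial_has_root(a, d, p)}")
```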

To dispose of the remaining cases p e G {8, 16, 32, . . .}, write a = ( — l) a 5 b and observe that 
such an expression is unique, by the last part of Lemma 121 The first part of Lemma 121 then 
easily yields that x d — a has a root iff 

(a odd ^> d is odd)A(the order of 5 6 divides cd L 2 ^- 2 ) )- 



In particular, we see that $x^d - a$ always has a root when $d$ is odd, so we can assume
henceforth that $d$ is even.

Letting b be the order of 5 b , it is then easy to check that the order of a is either b or 
2b, according as a is even or odd. Moreover, since d is even, we see that x d — a can have 
no roots in (Z/2 £ Z)* when a is odd. So we can now reduce the feasibility of x d — a to two 
order computations as follows: Compute, now via Boneh and Lipton's quantum algorithm 
for order computation in Abelian groups JBL951 Thm. 2], the order of a and —a. Observe 
then that a is odd iff the order of a is larger (and then x d — a has no roots in (Z/2 Z)*), so 
we can assume henceforth that a has the smaller order. To conclude, we then declare that 
x d — a has a root in Q 2 iff the order of a divides 2—. This last step is correct, thanks to 
the first part of Lemma [21 so we are done . 



Proof of the Second Assertion: First note that $\mathrm{size}(Q_n) = O(n \log n)$, via the
Prime Number Theorem. Observe then that the truth of FPH implies that we can efficiently find
a prime $p$ of the form $kQ_n + 1$, with $k \in \{1, \ldots, 2^n\}$, via random sampling, as
follows: Pick a uniformly random integer $k$ from $\{1, \ldots, 2^n\}$ and, using, say, the
famous polynomial-time AKS primality testing algorithm [AKS02], verify whether $kQ_n + 1$ is
prime. We repeat this, no more than $9n^c$ times, until we've found a prime.

Via the elementary estimate (1 — jj) Bt < f, valid for all $B, t \geq 1$, we then easily obtain
that our method results in a prime with probability at least |. Since
$\mathrm{size}(1 + 2^n Q_n) = O(\log(2^n Q_n)) = O(n + n \log n)$, it is clear that our simple
algorithm requires a number of bit operations just polynomial in $n$. Moreover, the number of
random bits needed is clearly $O(n^c)$.

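Having now probabilistically generated a prime $p = 1 + kQ_n$, Lemma 1 then immediately
yields the implication "$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$(US) $\in \mathcal{C}$
$\Longrightarrow$ NP $\subseteq \mathcal{C}\, \cup$ BPP," where US :=
$\{(f_1, \ldots, f_k) \mid f_i \in \mathbb{Z}[x_1],\ k \in \mathbb{N}\}$: Indeed, if
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$(US) $\in \mathcal{C}$ for some complexity
class $\mathcal{C}$, then we could combine our hypothetical $\mathcal{C}$ algorithm for
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}$(US) with our randomized prime generation routine
(and the Plaisted morphism for $K = \mathbb{Q}_p$) to obtain an algorithm with complexity in
$\mathcal{C}\, \cup$ BPP for any 3CNFSAT instance.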

So now we need only show that this hardness persists if we reduce US to systems consisting
of just one univariate sparse polynomial. Clearly, we can at least reduce to pairs of
polynomials via Lemma 3, so now we need only reduce from pairs to singletons.

Toward this end, suppose $a \in \mathbb{Z}$ is a non-square mod $p$ and $p$ is odd. Clearly
then, the only root in $\mathbb{F}_p$ of (the mod $p$ reduction of) the quadratic form
$q(x, y) := x^2 - ay^2$ is $(0, 0)$. Furthermore, by considering the valuations of $x$ and $y$,
it is also easily checked that the only root of $q$ in $\mathbb{Q}_p$ is $(0, 0)$. Thus, given
any $(f, g) \in \mathbb{Z}[x_1]^2$, we can form $q(f, g)$ (which has size
$O(\mathrm{size}(f) + \mathrm{size}(g) + \mathrm{size}(p))$) to obtain a polynomial time
reduction of $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1]^2)$ to
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1])$, assuming we can find a quadratic
non-residue efficiently. (If $p = 2$ then we can simply use $q(x, y) := x^2 + xy + y^2$ and then
there is no need at all for a quadratic non-residue.) However, this can easily be done by
picking two random $a \in \mathbb{F}_p$: With probability at least |, at least one of these
numbers will be a quadratic non-residue (and this can be checked in P by computing
$a^{(p-1)/2}$ via recursive squaring). So we are done. ■
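
An added example, not code from the paper: the randomized steps of the proof above in Python, namely sampling a prime $p = 1 + kQ_n$ with $k \in \{1, \ldots, 2^n\}$, finding a quadratic non-residue $a$ by Euler's criterion, and merging a pair $(f, g)$ into $q(f, g) = f^2 - ag^2$. Function names and the trial limits are assumptions, sparse polynomials are stored as exponent-to-coefficient dictionaries, and a fixed-base Miller-Rabin test (deterministic below $2^{64}$) is swapped in for AKS.

```python
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(m):
    """Miller-Rabin with fixed bases; deterministic for m < 2**64."""
    if m < 2:
        return False
    for b in _BASES:
        if m % b == 0:
            return m == b
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in _BASES:
        x = pow(b, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False                 # b witnesses that m is composite
    return True


def primorial(n):
    """Q_n, the product of the first n primes."""
    q, candidate, found = 1, 2, 0
    while found < n:
        if is_prime(candidate):
            q *= candidate
            found += 1
        candidate += 1
    return q


def sample_flat_prime(n, rng, max_trials=200):
    """Sample k uniformly from {1, ..., 2^n} until 1 + k*Q_n is prime.
    max_trials is an assumed cap; returns (p, k) or None."""
    q_n = primorial(n)
    for _ in range(max_trials):
        k = rng.randint(1, 2 ** n)
        if is_prime(1 + k * q_n):
            return 1 + k * q_n, k
    return None


def find_nonresidue(p, rng, max_trials=200):
    """Random a with a^((p-1)/2) = -1 mod p (Euler's criterion), p odd."""
    for _ in range(max_trials):
        a = rng.randrange(1, p)
        if pow(a, (p - 1) // 2, p) == p - 1:
            return a
    return None


def poly_mul(f, g):
    """Product of sparse polynomials given as {exponent: coefficient}."""
    h = {}
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            h[e1 + e2] = h.get(e1 + e2, 0) + c1 * c2
    return {e: c for e, c in h.items() if c}


def merge_pair(f, g, a):
    """q(f, g) = f^2 - a*g^2, the pair-to-singleton reduction."""
    h = poly_mul(f, f)
    for e, c in poly_mul(g, g).items():
        h[e] = h.get(e, 0) - a * c
    return {e: c for e, c in h.items() if c}


def poly_eval_mod(f, x, p):
    return sum(c * pow(x, e, p) for e, c in f.items()) % p


def roots_mod(f, p):
    """All roots of f in F_p, by exhaustive search (small p only)."""
    return [x for x in range(p) if poly_eval_mod(f, x, p) == 0]


if __name__ == "__main__":
    rng = random.Random(2006)            # fixed seed, constructed run
    p, k = sample_flat_prime(3, rng)     # Q_3 = 30
    a = find_nonresidue(p, rng)
    f, g = {15: 1, 0: -1}, {10: 1, 0: -1}   # x^15 - 1 and x^10 - 1
    print("p =", p, "k =", k, "non-residue a =", a)
    print("roots of q(f, g) mod p:", roots_mod(merge_pair(f, g, a), p))
```

With $n = 3$ the sample pair is $x^{Q_3/p_1} - 1$ and $x^{Q_3/p_2} - 1$, so the roots printed are the five 5th roots of unity in $\mathbb{F}_p$, exactly the common roots of $f$ and $g$.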

3.2 Detecting Square-Freeness: Proving Corollary 1

Given any $f \in \mathbb{Z}[x_1]$, observe that $f$ has a root in $\mathbb{Q}_p$ iff $f^2$ is
divisible by the square of a degree 1 polynomial in $\mathbb{Q}_p[x_1]$. Moreover, since
$\mathrm{size}(f^2) = O(\mathrm{size}(f)^2)$, we thus obtain a polynomial-time reduction of
$\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1])$ to the problem considered by
Corollary 1. So we are done. ■